Suspicious Module Loaded by LSASS
Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, an SSP DLL has access to the encrypted and plaintext credentials stored in Windows, such as any logged-on user's domain password or smart card PIN.
Rule type: eql
Rule indices:
- logs-endpoint.events.library-*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
- Data Source: Elastic Endgame
Version: 9
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
any where event.category in ("library", "driver") and host.os.type == "windows" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher",
         "Microsoft Windows Software Compatibility Publisher", "Microsoft Windows Hardware Compatibility Publisher",
         "McAfee, Inc.", "SecMaker AB", "HID Global Corporation", "HID Global", "Apple Inc.", "Citrix Systems, Inc.",
         "Dell Inc", "Hewlett-Packard Company", "Symantec Corporation", "National Instruments Corporation",
         "DigitalPersona, Inc.", "Novell, Inc.", "gemalto", "EasyAntiCheat Oy", "Entrust Datacard Corporation",
         "AuriStor, Inc.", "LogMeIn, Inc.", "VMware, Inc.", "Istituto Poligrafico e Zecca dello Stato S.p.A.",
         "Nubeva Technologies Ltd", "Micro Focus (US), Inc.", "Yubico AB", "GEMALTO SA", "Secure Endpoints, Inc.",
         "Sophos Ltd", "Morphisec Information Security 2014 Ltd", "Entrust, Inc.", "Nubeva Technologies Ltd",
         "Micro Focus (US), Inc.", "F5 Networks Inc", "Bit4id", "Thales DIS CPL USA, Inc.",
         "Micro Focus International plc", "HYPR Corp", "Intel(R) Software Development Products", "PGP Corporation",
         "Parallels International GmbH", "FrontRange Solutions Deutschland GmbH", "SecureLink, Inc.", "Tidexa OU",
         "Amazon Web Services, Inc.", "SentryBay Limited", "Audinate Pty Ltd", "CyberArk Software Ltd.",
         "McAfeeSysPrep", "NVIDIA Corporation PE Sign v2016", "Trend Micro, Inc.",
         "Fortinet Technologies (Canada) Inc.", "Carbon Black, Inc.") and
       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
  not dll.hash.sha256 : ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
                         "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
                         "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
                         "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
                         "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
                         "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
                         "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
                         "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
                         "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
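To make the query's exclusion logic concrete, the following is an added Python re-implementation of the rule filter, run offline over a handful of constructed ECS-style events. It is not Elastic's code: the signer and hash allowlists are abbreviated subsets of the query above, the `eql_like` helper only approximates EQL's `:` operator (case-insensitive, `*`/`?` wildcards), and every file path, signer name and hash in the sample events is made up.

```python
import fnmatch

# Subset of the rule's signer allowlist; the full list is in the query above.
ALLOWED_SIGNERS = (
    "Microsoft Windows",
    "Microsoft Corporation",
    "Microsoft Windows Publisher",
    "Yubico AB",
    "VMware, Inc.",
)

# Signature states the rule accepts for an allow-listed signer. Both conditions
# must hold for the exclusion to apply: an allow-listed subject name paired with
# any other status (e.g. an untrusted root) still alerts.
ALLOWED_STATUS = ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")

# Subset of the rule's SHA-256 allowlist (first two hashes in the query).
ALLOWED_HASHES = (
    "811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
    "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
)

LSASS_PATH = "?:\\Windows\\System32\\lsass.exe"


def eql_like(value, patterns):
    """Approximate EQL's ':' string operator: case-insensitive, '*' and '?' wildcards."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def is_suspicious_lsass_module(event):
    """True when a flattened ECS event satisfies the rule query."""
    if event.get("event.category") not in ("library", "driver"):
        return False
    if event.get("host.os.type") != "windows":
        return False
    if not eql_like(event.get("process.executable"), LSASS_PATH):
        return False
    signer_ok = eql_like(event.get("dll.code_signature.subject_name"), ALLOWED_SIGNERS)
    status_ok = eql_like(event.get("dll.code_signature.status"), ALLOWED_STATUS)
    if signer_ok and status_ok:          # exclusion 1: known signer AND acceptable status
        return False
    if eql_like(event.get("dll.hash.sha256"), ALLOWED_HASHES):   # exclusion 2: known hash
        return False
    return True


def lsass_event(name, dll, signer=None, status=None, sha256=None,
                process="C:\\Windows\\System32\\lsass.exe"):
    """Build a constructed (not real) library-load event for the samples below."""
    return {
        "id": name,
        "event.category": "library",
        "host.os.type": "windows",
        "process.executable": process,
        "dll.path": dll,
        "dll.code_signature.subject_name": signer,
        "dll.code_signature.status": status,
        "dll.hash.sha256": sha256,
    }


# Constructed sample telemetry; none of these files, signers or hashes are real observations.
SAMPLE_EVENTS = [
    lsass_event("msv1_0", "C:\\Windows\\System32\\msv1_0.dll",
                "Microsoft Windows", "trusted", "ab" * 32),
    lsass_event("yubico-expired", "C:\\Windows\\System32\\ykminidriver.dll",
                "Yubico AB", "errorExpired", "cd" * 32),
    lsass_event("unsigned-temp", "C:\\Windows\\Temp\\sspsvc.dll", sha256="ef" * 32),
    lsass_event("spoofed-subject", "C:\\ProgramData\\auth\\helper.dll",
                "Microsoft Windows", "errorUntrustedRoot", "12" * 32),
    lsass_event("unknown-vendor", "C:\\Program Files\\Contoso\\csp.dll",
                "Contoso Ltd", "trusted", "34" * 32),
    lsass_event("allowlisted-hash", "C:\\Windows\\System32\\legacyssp.dll",
                sha256=ALLOWED_HASHES[0].upper()),
    lsass_event("not-lsass", "C:\\Windows\\Temp\\sspsvc.dll",
                sha256="ef" * 32, process="C:\\Windows\\System32\\svchost.exe"),
    lsass_event("masquerade", "C:\\Windows\\Temp\\sspsvc.dll",
                sha256="ef" * 32, process="C:\\Users\\Public\\lsass.exe"),
]


def run_rule(events):
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if is_suspicious_lsass_module(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it alerts on the unsigned DLL from a temp directory, the DLL whose certificate claims "Microsoft Windows" but does not chain to a trusted root, and the DLL from a vendor outside the allowlist, while the expired-but-allow-listed signer and the allow-listed hash are suppressed. Two scoping points worth noting when tuning: the rule only considers the real `?:\Windows\System32\lsass.exe` path, so a renamed or relocated copy of lsass.exe is out of scope for this query; and an allow-listed hash suppresses the alert regardless of signature, so hash exceptions should be added sparingly.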
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
- Sub-technique:
  - Name: LSASS Memory
  - ID: T1003.001
  - Reference URL: https://attack.mitre.org/techniques/T1003/001/